
Privately speaking - issue 1, April 2015

Privacy is a fast-developing area of law, both in New Zealand and internationally, and the risks for organisations from privacy breaches can be very high. This applies both when the organisation is the victim – as in industrial espionage – and when the organisation fails to maintain expected standards of data integrity and confidentiality.

NEW ZEALAND

Foreign ownership register

Land Information New Zealand (LINZ) has warned that designing an accurate foreign ownership of land register may raise privacy and Bill of Rights (BoRA) issues. The register’s accuracy would require establishing the ultimate owner of companies and trusts, and would require solicitors to provide citizenship information about buyers.

The Australian Government has established a register of foreign investment in the residential property market and is considering expanding this to include rural land purchases. The New Zealand Government has been publicly sceptical about how effective the policy will be but, recognising that there is some support for it in the electorate, has said it will follow with interest what happens in Australia.

The Privacy Commissioner has advised power companies to take “additional care” in how they look after the data collected by smart meters. They should inform consumers how the data will be used, and have “strong security standards to ensure information is transmitted safely online”.

Consumer concerns have been raised over Samsung’s smart TV voice recognition feature. The accompanying privacy policy states: “Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of voice recognition.”

Criticisms include that the policy “leaves users with no knowledge or control over where the personal information goes or who has access to it”. In response, Samsung has reiterated that the captured data is encrypted to keep it safe.

APEC hopes to have an update of its privacy framework completed by the end of this year. The New Zealand Privacy Commissioner has undertaken the review as part of an Australia, Canada and New Zealand stocktake group.

Areas identified for strengthening include:

introducing the concept of privacy management programmes

adding breach notification to the list of remedies, and

outlining factors to be considered in balancing trade considerations when restricting cross-border transfers for privacy reasons.

The Privacy Commissioner may create a central register to record Police requests for personal data without search warrants from service providers such as airlines, banks, electricity companies, telcos and internet providers. Police are said to rely on the Privacy Act’s Principle 11, which permits disclosure of personal information where required “for the maintenance of the law”. The District Court has queried the legality of such demands.

According to the Identity Theft Resource Center, the number of US data breaches hit a record high of 783 in 2014, disclosing nearly 86 million records. The medical/healthcare industry accounted for 42.5% of the reported breaches and over 8 million disclosed records, followed by the business sector with 33% (but over 68 million disclosed records).

The financial sector performed best – accounting for 5.5% of breaches and only 1.4% of disclosed records. However, Kaspersky Lab (a cybersecurity firm) has released a report showing that hackers have stolen up to $1 billion from more than 100 financial institutions in 30 countries.

LinkedIn has agreed to pay US$1.25 million and to implement industry-standard data security protocols to settle a user privacy class action suit. In 2012, LinkedIn was hacked and the passwords for nearly 6.5 million users were stolen. Each claimant is likely to receive up to $50 from the $1.25 million settlement fund.

Target has agreed to pay US$10 million to settle its 2013 data breach, which exposed the credit card and personal information of up to 110 million customers.

Affected customers will be eligible to receive damages of up to $10,000 each and can claim for time spent dealing with the consequences of the breach, although recovery is limited to $10 an hour for up to two hours. Target will also implement measures to better safeguard consumer data. In the 2014 financial year, Target’s gross expenses arising from the breach topped US$191 million.

Claimants’ entitlement to bring data breach class actions is currently a hot topic in the US. In a March 2015 US District Court decision, the Judge held that the plaintiffs did not have standing to sue because they weren’t able to demonstrate “actual misuse of the hacked data or specifically allege how such misuse is certainly impending”. In other words, the privacy breach is not in and of itself sufficient to prove standing. Similarly, in New Zealand, the Privacy Act expressly states its privacy principles generally “do not confer any legal right enforceable in a court of law”.

The Federal Trade Commission (FTC) has released a report detailing best consumer privacy and security practices for businesses engaged in the “Internet of Things” (IoT). The IoT refers to the connection of everyday devices to the Internet and the transmission of data between those devices. This is to be a focus of the FTC’s enforcement action in the future.

The English Court of Appeal, in Google v Vidal Hall, determined two important issues of law - whether the cause of action for misuse of private information is a tort, and whether a claim for damage can be made under section 13 (compensation) of the Data Protection Act 1998 (DPA) without showing pecuniary loss.

The case concerns Google’s collection of information about the browsing habits of Safari users without their knowledge and consent. The Court ruled that misuse of private information should be considered a tort, rather than an equitable claim for breach of confidence. The Court also held that the DPA permits compensation for non-pecuniary loss, such as distress, where privacy rights have been violated. In reaching this conclusion, the Court noted that distress is “often the only real damage caused by a contravention”.

The UK Information Commissioner’s Office (ICO) has ordered Google to sign a formal undertaking to improve its “vague” privacy policy by addressing:

the lack of easily accessible information describing the ways in which, and the purposes for which, Google will process personal data, and

the lack of sufficient explanation of technical terms to service users.

Google must fix these issues by August 2015.

Outside of the UK, French and Spanish data protection authorities have fined Google €150,000 and €900,000 respectively for breach of their privacy laws and the Dutch data protection authority is currently threatening Google with a €15 million fine.

New research shows that almost half of UK consumers are concerned that their personal data is not safe and that most rate data security as equally important to product and service quality when choosing where to shop.
